You know, some days I wonder why it is that Zope is the
only framework around that needs to distinguish between
"trusted" and "untrusted" code. Nobody else seems to be
looking at us with envy in this regard.
Historically I know it was because there was the idea that
not-fully-trustworthy people might be able to join your site
and then add DTML to it, and you don't want such people
allowed to execute arbitrary code ... like the old zope.org
site. But does anybody anywhere actually run a site like that
nowadays? It's kind of a bizarre idea.

Not really, and that's why Zope 3 has avoided "through the web" code
so far. I hope this avoidance continues at least in "the core",
whatever that is, but I see rumblings every so often about why this
is a can't-live-without thing (with which I strongly disagree).